
Sophos discovers Epsilon, new pared-down ransomware

While the name and the tooling were unique to this attacker, the ransom note left behind on infected computers resembles the message by REvil ransomware but adds a few minor grammatical corrections. There were no other apparent similarities between the Epsilon Red ransomware and REvil.

Sophos has discovered a new, stripped-down ransomware called Epsilon Red that offloads most of its functionality to a series of PowerShell scripts. It was delivered as the final executable payload in a hands-on-keyboard attack against a US-based business in the hospitality industry, in which every other early-stage component was a PowerShell script. Based on the cryptocurrency address the attackers provided, at least one victim appears to have paid a ransom of 4.29 BTC on May 15 (worth roughly $210,000 at that date's exchange rate).

Sophos found that an enterprise Microsoft Exchange server was the attackers' initial point of entry into the network, most likely because the server was unpatched. From that machine, the attackers used Windows Management Instrumentation (WMI) to install software on other devices inside the network that were reachable from the Exchange server.

Like many coined by ransomware threat actors, the name Epsilon Red is a reference to pop culture. A relatively obscure adversary of the X-Men in the Marvel extended universe, Epsilon Red was a “super soldier” of Russian origin, sporting four mechanical tentacles and a lousy attitude. 


During the attack, the threat actors launched a series of PowerShell scripts. These include:

  • A script that deletes Volume Shadow Copies from the infected computer, making it harder for the target to recover some or all of the files the attackers encrypt.
  • A script that uninstalls various security and backup programs that might be present on the infected computer. It looks for specific programs, and for anything with the words "Backup" or "Cloud" in the title bar, and then attempts to kill and uninstall it. The attackers also try to disable or kill processes that, if they were running, could prevent complete encryption of valuable data on the hard drive: database services, backup programs, office applications, email clients, QuickBooks, and even the Steam gaming platform.
  • A script that appears to be a clone of the open-source Copy-VSS tool, which, according to Sophos researchers, an attacker can use to copy the Windows credential store out of a Volume Shadow Copy so that the saved password hashes can be cracked offline.
  • A compiled copy of the open-source EventCleaner tool, which, according to Sophos researchers, is built to erase or manipulate the contents of Windows event logs. The attackers used it to remove evidence of what they had done.
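Detection logic for the script behaviours listed above, as an added example that is not part of the Sophos report or of this article: a small Python rule set run over constructed, flattened process-creation events. The specific command lines it looks for (vssadmin and wmic shadow-copy deletion, taskkill of backup-, cloud- and database-related images, wevtutil log clearing, copying the SAM hive out of a shadow copy, PowerShell spawned by the WMI provider host) are assumed common implementations of the behaviours described, not commands quoted from the incident; the host names, users, paths and timestamps are invented. A host is flagged only when several distinct behaviours occur within one window, which reflects the redundant, scripted sequence described rather than any single command an administrator might also run.

```python
"""Behavioural rules for the pre-encryption steps described above.

Constructed example: the sample events, host names and command lines below are
assumed, typical implementations of the behaviours Sophos describes, not
artefacts from the incident.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Flattened 4688-style process-creation events (constructed sample data).
SAMPLE_EVENTS = [
    # FS02: the scripted chain as it would appear in process telemetry
    r"2021-05-14T02:13:41Z host=FS02 user=admin parent=wmiprvse.exe cmd=powershell.exe -ExecutionPolicy Bypass -File C:\Windows\Temp\4.ps1",
    r"2021-05-14T02:13:44Z host=FS02 user=admin parent=powershell.exe cmd=vssadmin.exe delete shadows /all /quiet",
    r"2021-05-14T02:13:45Z host=FS02 user=admin parent=powershell.exe cmd=wmic.exe shadowcopy delete",
    r"2021-05-14T02:14:02Z host=FS02 user=admin parent=powershell.exe cmd=taskkill.exe /F /IM VeeamBackupSvc.exe",
    r"2021-05-14T02:14:03Z host=FS02 user=admin parent=powershell.exe cmd=taskkill.exe /F /IM sqlservr.exe",
    r"2021-05-14T02:16:33Z host=FS02 user=admin parent=cmd.exe cmd=cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\Windows\Temp\sam",
    r"2021-05-14T02:20:19Z host=FS02 user=admin parent=powershell.exe cmd=wevtutil.exe cl Security",
    # DB03: a lone, plausibly legitimate shadow-copy cleanup by an admin
    r"2021-05-14T03:00:00Z host=DB03 user=dbadmin parent=cmd.exe cmd=vssadmin.exe delete shadows /for=D: /oldest",
    # WS17: benign activity that shares keywords with the rules
    r"2021-05-14T09:02:10Z host=WS17 user=jdoe parent=explorer.exe cmd=C:\Program Files\Acme Backup\backup.exe --schedule",
    r"2021-05-14T09:05:30Z host=WS17 user=jdoe parent=cmd.exe cmd=wevtutil.exe qe Security /c:5",
    r"2021-05-14T09:06:12Z host=WS17 user=jdoe parent=cmd.exe cmd=taskkill.exe /F /IM notepad.exe",
]

EVENT_RE = re.compile(
    r"^(?P<time>\S+) host=(?P<host>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) cmd=(?P<cmd>.*)$"
)

# Shadow-copy deletion via the two command-line tools or the WMI class.
SHADOW_RE = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|Win32_ShadowCopy)\b", re.I
)
# Image-name fragments matching the kill list described (backup/cloud, databases,
# mail clients, QuickBooks, Steam); the concrete names are assumptions.
KILL_TARGETS = r"(backup|cloud|veeam|sql|oracle|outlook|thunderbird|quickbooks|steam)"
KILL_RE = re.compile(
    r"\b(taskkill(\.exe)?\b.*\s/IM\s+\S*|Stop-(Process|Service)\b.*-Name\s+\S*)" + KILL_TARGETS, re.I
)
# Clearing event logs with wevtutil, the PowerShell cmdlet, or the EventCleaner binary.
LOGCLEAR_RE = re.compile(r"\b(wevtutil(\.exe)?\s+(cl|clear-log)\b|Clear-EventLog\b|EventCleaner)", re.I)
# Copying credential hives out of a shadow copy (what Copy-VSS does).
HIVE_RE = re.compile(
    r"(Copy-VSS|HarddiskVolumeShadowCopy\d+\\Windows\\(System32\\config\\(SAM|SYSTEM)|NTDS\\ntds\.dit)\b)", re.I
)

RULES = {
    "shadow_copy_deletion": lambda ev: bool(SHADOW_RE.search(ev["cmd"])),
    "backup_or_cloud_process_kill": lambda ev: bool(KILL_RE.search(ev["cmd"])),
    "event_log_clearing": lambda ev: bool(LOGCLEAR_RE.search(ev["cmd"])),
    "credential_hive_copy": lambda ev: bool(HIVE_RE.search(ev["cmd"])),
    # The WMI provider host spawning PowerShell is how a script pushed over WMI lands.
    "wmi_spawned_powershell": lambda ev: (
        ev["parent"].lower() == "wmiprvse.exe" and "powershell" in ev["cmd"].lower()
    ),
}


def parse_event(line):
    """Return the event as a dict with a timezone-aware datetime, or None if malformed."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
    return ev


def match_rules(ev):
    """Names of every rule the event triggers."""
    return [name for name, pred in RULES.items() if pred(ev)]


def score_hosts(lines, window_minutes=30, min_tactics=2):
    """Per host, the largest set of distinct behaviours seen within one window.

    A host is alerted on when that set has at least `min_tactics` members, so a
    single vssadmin call does not fire but the scripted sequence does.
    """
    window = timedelta(minutes=window_minutes)
    hits = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for rule in match_rules(ev):
            hits[ev["host"]].append((ev["time"], rule))

    report = {}
    for host, host_hits in hits.items():
        host_hits.sort()
        best = set()
        for i, (t0, _) in enumerate(host_hits):
            in_window = {rule for t, rule in host_hits[i:] if t - t0 <= window}
            if len(in_window) > len(best):
                best = in_window
        report[host] = {"tactics": sorted(best), "alert": len(best) >= min_tactics}
    return report


if __name__ == "__main__":
    for host, result in score_hosts(SAMPLE_EVENTS).items():
        print(host, "ALERT" if result["alert"] else "info", ", ".join(result["tactics"]))
```

Each regex targets the behaviour rather than a particular script name, so the same rule covers the attacker's duplicate vssadmin and wmic commands. In the sample, FS02 trips five distinct behaviours inside the window and is alerted on, DB03's single vssadmin call stays below the threshold, and WS17's backup.exe launch, wevtutil query and taskkill of notepad match nothing.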

Peter Mackenzie, manager of the Sophos Rapid Response team, said: “Epsilon Red is an intriguing new ransomware. The actual ransomware file itself is very pared down, probably because it has offloaded other tasks, such as deleting backups, to the PowerShell scripts. It is only used for file encryption, and it doesn’t precision-target assets: if it decides to encrypt a folder, it will encrypt everything inside that folder. Unfortunately, this can mean other executables and dynamic link libraries (DLLs) are encrypted, which can disable critical running programs or the entire system. As a result, the attacked machine will need to be rebuilt entirely.

“Sophos’ analysis of the attackers’ behavior suggests they may lack confidence in the reliability of their tools or the potential success of their attack, so they implement alternative options and backup plans in case things fail. For instance, early on in the attack sequence, the operators download and install a copy of Remote Utilities and the Tor Browser, possibly to ensure an alternate foothold if the initial access point gets locked down. In other cases, we see the operators issue redundant commands that use a slightly different method to accomplish the same goal, such as deleting processes and backups. The best way to prevent ransomware such as Epsilon Red from taking hold is to ensure servers are fully patched and that your security solution can detect and block any suspicious behavior and attempted file encryption.”

To learn more about Epsilon Red, read the article on SophosLabs Uncut.

Sophos endpoint products, such as Intercept X, protect users by detecting the actions and behaviors of ransomware and other attacks. The CryptoGuard feature blocks the act of attempting to encrypt files. 
